[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Sun Sep 28 02:36:54 PDT 2008


On Sun, 28 Sep 2008, Michal Zalewski wrote:

> If you have faith that all these places can be patched up because we 
> tell them so, and that those who want to would be able to do so 
> consistently and reliably - look at the current history of XSRF and XSS 
> vulnerabilities.

...and consequently, the worst-case scenario for breaking a page that did 
not need the protection to begin with is that the owner easily opts out, 
in a manner that is trivial to verify across his resources; on the other 
hand, the worst-case scenario for leaving one out of thousands of resources 
on Facebook, MySpace, eBay, or my wife's cat fanciers' forum accidentally 
not protected by an opt-in mechanism in some obscure code path... is more 
or less widespread misery that is extremely hard and sometimes expensive 
to clean up.

/mz


